Welcome to Splunk Answers, a Q&A forum for users to find answers to questions about deploying, managing, and using Splunk products. Contributors of all backgrounds and levels of expertise come here to find solutions to their issues, and to help other users in the Splunk community with their own questions.

This quick tutorial will help you get started with key features to help you find the answers you need. You will receive 10 karma points upon successful completion!

Refine your search:

ANNOUNCEMENT: Answers is being migrated to a brand new platform! answers.splunk.com will be read-only from 5:00pm PDT June 4th - 9:00am PDT June 9th. Please read this Answers thread for all details about the migration.

Welcome to Splunk Answers! Not what you were looking for? Refine your search.

Can you help me with Log Event Queueing on a Splunk Forwarder?

is there a way to set up log event event queuing and the chunking of queued events on the forwarder side?

Our problem is that our forwarders flood our indexer with events when it is back online after an outage due to maintenance or other reasons and some of those events are not indexed and get lost.

The fowarders are configured to use acknowledgement and SSL to encrypt the traffic between forwarders and indexers. The use of SSL and acknowledgement is required by the orgranizations data management and securicy policies.

Utilization on the indexer is quite low. CPU ist always <10% even after bringing them up online after maintainance.

Any suggestions or ideas, like a configuration to send queued events in chunks of like 10 Mb and how to do that?

People who like this

1 Answer

Forwarders automatically queue data when they can't reach an indexer. Usually, that queue is enough to hold events until an indexer is available, but it may not be enough if all are indexers are down for a prolonged period or if a lot of events are generated during the outage.

The maxQueueSize setting in outputs.conf may help. Increasing the value from the default of 500KB should help.

If you have enough resources, consider standing up a second indexer so you're more likely to have one available at all times. It'll help with search performance, too.

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here. Closing this box indicates that you accept our Cookie Policy.